Interacting with the web application provided by the Docker VM, we notice it is running a WordPress instance:


Figure 13.4: WordPress application served by the VM

The next step in our attack will be running the wpscan tool and looking for any low-hanging fruit, and gathering as much information about the instance as possible.


The wpscan tool is available on Kali and almost any other penetration-testing-focused distribution. The latest version can be pulled from

We can start our attack by issuing a wpscan command in the attack machine terminal. By default, passive detection will be enabled to look for ...

Get Becoming the Hacker now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.